Officials from RSA Security are advising customers of the company's BSAFE toolkit and Data Protection Manager to stop using a crucial cryptography component in the products that was recently revealed to contain a backdoor engineered by the National Security Agency (NSA).

An advisory sent to select RSA customers on Thursday confirms that both products by default use something known as Dual_EC_DRBG when creating cryptographic keys. The specification, which was approved in 2006 by the National Institute of Standards and Technology (NIST) and later by the International Organization for Standardization, contains a backdoor that was inserted by the NSA, The New York Times reported last week. RSA's advisory came 24 hours after Ars asked the company if it intended to warn BSAFE customers about the deliberately crippled pseudo-random number generator (PRNG), which is so weak that it undermines the security of most or all cryptography systems that use it.

"To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG," the RSA advisory stated. "Technical guidance, including how to change the default PRNG in most libraries, is available in the most current product documentation" on RSA's websites.

The BSAFE library is used to implement cryptographic functions in products, including at least some versions of the McAfee Firewall Enterprise Control Center, according to NIST certifications. The RSA Data Protection Manager is used to manage cryptographic keys. Confirmation that both use the backdoored RNG means that the protections of an untold number of third-party products may be bypassed not only by advanced intelligence agencies, but possibly by other adversaries who have the resources to carry out attacks that use specially designed hardware to quickly cycle through possible keys until the correct one is guessed.

McAfee representatives issued a statement confirming that the McAfee Firewall Enterprise Control Center 5.3.1 supported Dual_EC_DRBG, but only when deployed in federal government or government contractor customer environments, where the relevant FIPS certification recommended it. The product uses the newer SHA1 PRNG random number generator in all other settings.

The NIST certification page lists dozens of other products that also use the weak RNG. Most of those appear to be one-off products. More significant is BSAFE's adoption of Dual_EC_DRBG as its default RNG, because the toolkit is used to build a large number of derivative crypto systems, all of which inherit the weakness and are highly susceptible to being broken.

In the beginning ...

From the beginning, Dual_EC_DRBG—short for Dual Elliptic Curve Deterministic Random Bit Generator—struck some cryptographers as an odd choice for one of NIST's officially sanctioned RNGs. It was literally hundreds of times slower than typical RNGs, and its basis in "discrete logarithm" mathematics was highly unusual in production environments.

"I personally believed that it was some theoretical cryptographer's pet project," one cryptographer who asked not to be named told Ars. "I envisioned a mathematician, annoyed at the lack of theoretical foundation in random number generation, badgering his way into an NIST standard."

A year after NIST approved the RNG as a standard, two Microsoft researchers devised an attack that allowed adversaries to guess any key created with the RNG with relatively little work.
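The attack referred to above rests on one structural fact: Dual_EC_DRBG derives each output from the x-coordinate of s·Q and the next internal state from the x-coordinate of s·P, where P and Q are fixed curve points supplied by the standard, and SP 800-90A never explained how Q was chosen. Anyone who knows a scalar d with Q = d·P can turn an output back into the next state, and from then on every subsequent output is predictable. The toy below is an added example, not code from Ars, RSA or NIST: it keeps the generator's shape but replaces the NIST P-256 curve with a 9-bit prime-order subgroup of the integers mod p (scalar multiplication becomes modular exponentiation), drops the top 2 of 10 bits instead of the real 16 of 256, and uses constructed parameters (`P_MOD`, `Q_ORD`, `G`, the trapdoor `d`, the seed). It also shows what a "nothing up my sleeve" derivation of Q looks like, which is the property that would have made the trapdoor impossible to plant.

```python
# Toy model of the Dual_EC_DRBG structure and why it needed a trustworthy Q.
# Added example, not RSA's or NIST's code. Real Dual_EC_DRBG works on the
# NIST P-256 curve with fixed points P and Q and discards the top 16 bits of
# each 256-bit x-coordinate; this toy replaces the curve with a prime-order
# subgroup of Z_p^* so that "s*P" becomes "g^s mod p". All parameters below
# are constructed for the demo and are far too small to be secure.
import hashlib

P_MOD = 1019           # safe prime, p = 2q + 1
Q_ORD = 509            # prime order of the subgroup we work in
G = 4                  # generator of the order-q subgroup (plays the role of P)
OUT_BITS = 8           # keep the low 8 of ~10 bits of each r (real DRBG: 240 of 256)
OUT_MASK = (1 << OUT_BITS) - 1


def trapdoored_q(d):
    """'Q = d*P' on the curve; here h = g^d. Whoever knows d can invert outputs."""
    return pow(G, d, P_MOD)


def nums_q(label):
    """A 'nothing up my sleeve' Q: derived from a public label by hashing, so
    nobody chose (or knows) its discrete log d. On a 256-bit curve that log is
    infeasible to compute; in this 9-bit toy it is trivially brute-forceable,
    so the toy only illustrates the construction, not its strength."""
    while True:
        x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P_MOD
        h = pow(x, 2, P_MOD)            # squaring lands in the order-q subgroup
        if h > 1:                       # reject 0 and the identity
            return h
        label = hashlib.sha256(label).digest()


def dual_ec_step(state, h):
    """One iteration: output = trunc(x(s*Q)), next state = x(s*P)."""
    r = pow(h, state, P_MOD)            # x(s*Q)
    next_state = pow(G, state, P_MOD)   # x(s*P)
    return r & OUT_MASK, next_state


def generate(seed, h, n):
    """Run the generator n times from `seed`; returns (outputs, final_state)."""
    outs, s = [], seed
    for _ in range(n):
        out, s = dual_ec_step(s, h)
        outs.append(out)
    return outs, s


def recover_states(outputs, d):
    """What the trapdoor holder can do with the public outputs alone: undo the
    truncation, apply d^-1 to get the next state, and confirm each candidate
    against the following outputs. Returns the candidate states consistent
    with everything observed (the true one is always among them)."""
    d_inv = pow(d, -1, Q_ORD)
    h = trapdoored_q(d)
    first, rest = outputs[0], outputs[1:]
    candidates = []
    for r in range(first, P_MOD, 1 << OUT_BITS):   # every r with these low bits
        # r = h^s = g^(d*s), so r^(1/d) = g^s, which is exactly the next state.
        s = pow(r, d_inv, P_MOD)
        predicted, _ = generate(s, h, len(rest))
        if predicted == rest:
            candidates.append(s)
    return candidates


if __name__ == "__main__":
    d, seed = 77, 123                               # constructed trapdoor and seed
    h = trapdoored_q(d)
    outs, _ = generate(seed, h, 4)
    _, true_next = dual_ec_step(seed, h)
    print("outputs seen on the wire:", outs)
    print("states recovered with d:", recover_states(outs, d), "true:", true_next)
    print("NUMS Q for label b'demo':", nums_q(b"demo"))
```

The point of the contrast is that the generator's code is identical in both cases; the only difference between a backdoored and a sound instance is whether someone holds d for the Q that was shipped, which is why RSA's guidance of switching to a different PRNG, rather than patching the implementation, is the correct remedy.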

Johns Hopkins professor Matt Green recounts that failing and a wealth of other peculiarities surrounding the embrace of Dual_EC_DRBG in an exhaustive technical analysis published Wednesday. Among them: when Dual_EC_DRBG was adopted, it had no security proof.

"In the course of proposing this complex and slow new PRNG where the only frigging reason you'd ever use the thing is for its security reduction, NIST forgot to provide one," Green wrote. "This is like selling someone a Mercedes and forgetting to include the hood ornament."

In an e-mail, RSA Chief of Technology Sam Curry defended the decision-making process that went into making the RNG the default way for BSAFE and Data Protection Manager to generate keys.

"The length of time that Dual_EC_DRBG takes can be seen as a virtue: it also slows down an attacker trying to guess the seed," he wrote. He continued:

Plenty of other crypto functions (PBKDF2, bcrypt, scrypt) will iterate a hash 1000 times specifically to make it slower. At the time, elliptic curves were in vogue and hash-based RNG was under scrutiny. The hope was that elliptic curve techniques—based as they are on number theory—would not suffer many of the same weaknesses as other techniques (like the FIPS 186 SHA-1 generator) that were seen as negative, and Dual_EC_DRBG was an accepted and publicly scrutinized standard. SP800-90 (which defines Dual EC DRBG) requires new features like continuous testing of the output, mandatory re-seeding, optional prediction resistance, and the ability to configure for different strengths.

It will take time for people to ferret out all the products that use Dual_EC_DRBG, particularly as the sole or default RNG. Readers who know of others are invited to leave that information in a comment to this post.


Due to the debate around the Dual EC DRBG standard highlighted recently by the National Institute of Standards and Technology (NIST), NIST re-opened for public comment its SP 800-90 standard which covers Pseudo-random Number Generators (PRNG). For more information about the announcement see:

The ITL Security Bulletin mentioned in this announcement includes the following:

“Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used.”

The currently released and supported versions of the BSAFE libraries (including Crypto-J 6.1.x and Crypto-C ME 4.0.x) and of the RSA DPM clients and servers use Dual EC DRBG as the default PRNG, but most libraries do support other PRNGs that customers can use. We are providing guidance to our customers on how to change the PRNG from the default in their existing implementation.

In the current product documentation, RSA has provided technical guidance for RSA BSAFE Toolkits and RSA DPM customers to change the PRNG in their implementation.

RSA will change the default RNG in RSA BSAFE Toolkits and RSA DPM as appropriate and may update the algorithm library as needed.

Recommendation:

To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG. Technical guidance, including how to change the default PRNG in most libraries, is available in the most current product documentation. In addition to the product documentation, technical guidance, including how to change the default PRNG to another PRNG in most libraries, is also available at

Why do most people buy BSAFE? Because it's FIPS140-2 certified, and they either need that, or they (invalidly) believe it's a certification which has value to their product.

BSAFE is an expensive product. It is a VALIDLY expensive product (external certification to FIPS140-2 costs hundreds of thousands of dollars per release). It's not an open source crypto library developed by a guy in his basement: it's a substantial team needed to maintain the processes and procedures needed to get that certification.

So... let's follow the logic:

1. RSA (EMC) makes a substantial development investment in this product
2. EMC needs this product to be revenue and profit positive (sorry if this is a shock to anyone)
3. FIPS140-2 certification drives the majority of this product's sales
4. FIPS140-2 specifies a range of other NIST standards, defining specific approved algorithms
5. NIST approved this algorithm

Sam Curry - also very credible in the crypto area - gave a very reasonable explanation as to its selection as the default. Yes, it has now been shown to be an issue, in the larger context of NSA (and therefore NIST) misbehavior. RSA has done the right thing here.

And BTW, it's "RSA". It hasn't been "RSA Security" in many years. Strictly speaking, it's "RSA, the Security Division of EMC". Ars, you could at least get the organization's name correct.

Disclaimer: I am an ex-RSA employee - I left the org some months ago. I retain no shares or interest in the company, beyond calling many of those who remain there valued colleagues and friends. I have a great deal of respect for their professionalism, competence and diligence, and am consequently highly irritated to read this article.